iCloud’s Hide My Email is perfect for this. No “+” convention, it just generates a random @icloud.com email address specifically for whatever website/app you’re signing up for, and forwards it to your real email. The random addresses are indistinguishable from real iCloud.com email addresses, there’s no naming convention a website can reject.

I never worry about sites that require signups any more, I just autogenerate an email for them and use a fake name. I couldn’t give a shit less if they get hacked or leak data, because the email and password are randomly generated. If they turn out to spam me I just disable that email address and never hear from them again.

The only people who have my “real” email addresses are people I know personally.

> The random addresses are indistinguishable from real iCloud.com email addresses, there’s no naming convention a website can reject.

That's not remotely true.

The very very very vast majority of actual iCloud email addresses are going to have "dictionary" names. It's quite trivial to detect a randomized address (and at that point, you probably don't even care about a couple of false positives).

Multiple instances of letter-number-letter-number ("b2y4r")? Coupled with letter combinations that don't exist in most languages ("ytbn")? And no dictionary words ("john", "smith", "booklover")? Random address.

Now, whether you care to do business with someone who detects this is a different question altogether.

But they are absolutely distinguishable.

The auto-generated addresses also have dictionary names. They’re explicitly designed to look like addresses that a real person might come up with… typically a dictionary word, followed by some numbers and symbols. Just like other email addresses on popular services where all the good names are taken.

The ones I've seen are like a987dfc429be@icloud.com.

Same with Private Relay: here's one of mine (with one character changed) - 2he5rs923s@privaterelay.appleid.com

You’re thinking about something else. There’s a thing called “Sign In With Apple” that is available when an app/website wants to offer it, that integrates with Apple’s authentication system. The email the app/website sees is a bunch of random characters followed by @privaterelay.appleid.com. But Sign In With Apple is not the same as Hide My Email. SIWA is for when the website opts into Apple as an auth provider.

I just looked at my alias list in iCloud and every single “hide my email” alias looks like a plausible @icloud.com address with dictionary words, and every “sign in with Apple” address is using the privaterelay address with the super random characters. There are no addresses that look like a987dfc429be@icloud.com.

Have you ever had to reply 'from' a random iCloud email? Is it possible?

I faced that with Costco support. My method is custom email on personal domain name. Had to setup email alias in gmail to do so. Was a pain.

I heard about the +, but don't some sites reject it? Or can't bad actors just strip it? You'd need your own domain with a large amount of unique identifiers for it to work if it became popular.

I find it quite rare for systems to reject the + these days. One notable exception is my credit union, whose Web 1.0 system turned it into a space. The most annoying thing about this practice is if you're telling it to a human, they are very confused about your email address having their company's name in it. I occasionally get "do you work here or something?" Every once in a while I'm talking to someone (example: elementary school secretary) who gives me a vibe that they're going to be really thrown off by this and I just make up a three letter unique code for a suffix since I can still search for whoever sent me that first to see what the suffix means.

On the stripping of the + and suffix, yeah, bad actors who recognize your scheme can do that, but spamming is about quantity, not quality, so they just aren't going to put in the effort.

Spamming is about quantity but stripping a "+" is something a one line script can do, which is what will happen if this gets popular. A real solution should be more resilient. Like spam binning anything that does not use the "+" ?

Well, I've always thought it would be fairly easy to strip, but I've now been doing it for 25 years and it's obvious the spammers aren't going to go to even that small effort. I once heard the CEO of wordpress say that it would be easy for them to go after adblockers too, but they explicitly didn't because the userbase that went to the trouble of installing adblockers didn't tend to be a lucrative advertising demographic anyway. It's all about return on your investment.

unfortunately, i disagree; i stopped using plus sign addressing because so many sites i wanted to use it on (many of them for important things like medical stuff) wouldn't accept it

I still miss qmail's convention, which used a - instead. That worked flawlessly everywhere, circa early 2000s.

(I still have some email handling rules for my domain that understand the - aliases I created.)

I think that both conventions are flawed, as adversaries that know the convention can just remove the distinguishing part. If someone signs up with the email address real+spam@example.com, then they're just going to spam real@example.com. Apple's thing where it creates a987dfc429be@icloud.com is much better. Maybe that's the username I selected. Maybe it's an anti-spam forwarding address. There is no way of knowing. (Actually, I think it does something like relay.icloud.com? So yeah, they know it's not your real address. Apple just says "if you reject this, you can't have an iPhone app", which is what makes it work.)

Following my navel gazing idea, the trick is that mail to real@example.com just gets spam binned automatically. Anyone who has any business emailing your should have an real+randomuniqueid@example.com email address to send to you. It's almost like the randomuniqueid is a password to your inbox.

Unfortunately, this is only for email no such thing for phones or anything.

I like that!

A certain tongue-in-cheek email provider [0] uses . (a dot) for this purpose, i.e. username.anything@domain.tld. Spammers could remove the distinguishing part here too, but they can't be bothered to keep a list of all the conventions used by different providers, so I think it should work pretty well.

(Personally I use a dedicated catch-all domain now, and the username is the distinguishing part – try to remove that!)

[0]: https://cock.li/, they do have SFW domains though

Not all mail servers treat a+b@a.com and a@a.com as the same email.

By equal token, you can't be sure that the email address doesn't actually just contain a plus sign.

I was disappointed to find out at work recently that the plus convention was not configured. It made testing account signups more difficult. This is when I dug in a bit and found it that it depends in the mail server for whether those are unique addresses or not.

> Apple's thing where it creates a987dfc429be@icloud.com

Still trivial to detect. Random letter/number combinations, letter combinations that don't exist in the dictionary, no dictionary word? Pretty detectable.

Meh, some actual customer probably uses that as their email address. xXxreaperMainxXx69@gmail.com is probably a real address.

Apple has this as a service now. It's more automatic than the GMail process and works well.

A weakness with the GMail process is that spammers are able to remove the + part (even if most don't), and your credentials or identity can be aligned across leaked credential databases by removing the + part.

They can, but in my case that still doesn't get them in my inbox since those messages go elsewhere.

It seems like this approach is really popular. Have no spammers/data brokers caught on and started stripping the +identifier?

Can't you just reject email that comes in to the base address without the identifier?

If they were really smart, they'd parse and use that info to their advantage. Have info+autozone@domain.com? Send company-specific phishing emails to +apple, +wellsfargo, +$POPULAR_COMPANY every other week